CIS Spyware Scan (RESOLVED)

Spyware scan reports 152 infections in the Registry but cannot quarantine them. How do I get rid of them? I ran Essentials, but it did not find these infections; it did find something in my Hosts file, so I deleted it. Now I don’t have a Hosts file any longer.

My PC is slower than a turtle. Can someone help, please?

Thanks

Try also running Malwarebytes. Also, the Hosts file has to be repaired, not deleted; look on Google for a replacement one.

Thanks for responding.

I ran Malwarebytes and Spybot S&D; both report no problems. I misspoke; it was repaired, but when I tried to open it to look at it, Hostsman reported that it was not a valid Hosts file and that no new update existed.

Any ideas?

Try running Hitman Pro as well; let me know if that finds anything.

You should use Emsisoft Emergency Kit instead of obsolete Spybot S&D.

Please use COMODO Cleaning Essentials to clean them up.
Depending on your operating system, you can download one of the below:

32 Bit:
http://download.comodo.com/cce/download/setups/cce_2.1.215955.162_x32.zip
64 Bit:
http://download.comodo.com/cce/download/setups/cce_2.1.215955.162_x64.zip

While the link seems to be useful, Spybot isn’t obsolete, apart from when you don’t use it for what it was meant for.
You just don’t need the TeaTimer function anymore when you have something like Comodo.

Ran Hitman Pro and it found about 12 cookies that seemed non-threatening, but deleted them. No difference.

This is the program that found a bad entry in my hosts file so I let it correct it and tried to open the hosts file but it said it was not a valid hosts file. Had to obtain another copy. Other than that, this program did not find anything.

152 infections in the Registry sounds extreme, especially if Malwarebytes or Hitman Pro detects nothing. Sounds like a possible rootkit (but doubtful)? If you’re running x86, I say throw GMER at it. Try running Norton Power Eraser with the scan-for-rootkit option.

This app has a “restore Windows hosts file” option… might help.

Wait, are you going by Hostsman, or are you going to C:\Windows\System32\drivers\etc and right-clicking the hosts file and opening it with Notepad? Hostsman can’t locate the file; I have had this problem before. Unsure why. I think it’s a 64-bit thing.

http://www.sepago.de/helge/2009/06/04/where-is-the-hosts-file-on-windows-x64/
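The posts above turn on two questions about the hosts file: is the file Windows has on disk still well-formed, and does anything in it send a hostname somewhere other than loopback? The script below is an added example (not code from the thread or from any of the tools named in it) that answers both offline: it parses a hosts file the way Windows reads it, separates stock localhost lines from blocklist-style entries (hostname to loopback, as ad-blocking hosts files install) and from redirects (hostname to some other address, the pattern a hijacked file shows), and can write back a stock file. The `WINDOWS_HOSTS` path and the sample file contents are assumptions constructed for the example; the note about 32-bit tools on 64-bit Windows summarises the linked article's point.

```python
"""Triage a Windows hosts file: flag malformed lines and entries that
map a hostname to a non-loopback address; optionally restore a stock file.
Added example, not from the forum thread or any tool it names."""
import ipaddress
import sys
from pathlib import Path

# Live file location on Windows. A 32-bit helper on 64-bit Windows can be
# redirected away from the real System32 by file-system redirection, which
# is one way a utility ends up reporting "no valid hosts file".
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")  # assumed path

# Content of a stock hosts file: only localhost mappings.
DEFAULT_HOSTS = (
    "# Restored default hosts file\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
)

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample, not a real capture from the poster's machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example          # blocklist-style entry
198.51.100.7    update.example.com   # hostname sent to a non-loopback address
this is not a hosts line
"""


def parse_hosts(text):
    """Return (entries, problems).

    entries  : list of (line_no, ip, [hostnames]) for well-formed lines
    problems : list of (line_no, reason) for lines Windows would not accept
    """
    entries, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not body:
            continue
        fields = body.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append((line_no, f"not an IP address: {ip!r}"))
            continue
        if not names:
            problems.append((line_no, "address without a hostname"))
            continue
        entries.append((line_no, ip, names))
    return entries, problems


def classify(entries):
    """Split entries into stock localhost lines, blocklist-style lines and
    redirects (a hostname pointed at an address that is not loopback)."""
    stock, blocked, redirects = [], [], []
    for entry in entries:
        _, ip, names = entry
        only_localhost = all(n.lower() in ("localhost", "localhost.localdomain") for n in names)
        if ip in LOOPBACK and only_localhost:
            stock.append(entry)
        elif ip in LOOPBACK:
            blocked.append(entry)
        else:
            redirects.append(entry)
    return {"stock": stock, "blocked": blocked, "redirects": redirects}


def triage(text):
    """Full report: classification plus parse problems and a validity flag."""
    entries, problems = parse_hosts(text)
    report = classify(entries)
    report["problems"] = problems
    report["valid"] = not problems
    return report


def restore_default(path):
    """Overwrite `path` with stock content as plain ASCII with CRLF line
    endings (what Windows expects); return True if the write round-trips."""
    with open(path, "w", encoding="ascii", newline="\r\n") as fh:
        fh.write(DEFAULT_HOSTS)
    return Path(path).read_text(encoding="ascii") == DEFAULT_HOSTS


if __name__ == "__main__":
    source = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_HOSTS
    report = triage(source)
    print("well-formed file:", report["valid"])
    for key in ("problems", "redirects", "blocked"):
        for item in report[key]:
            print(f"{key:9s} line {item[0]}: {item[1:]}")
```

Run it with the path to a hosts file (or with no argument to see the constructed sample). Only the `redirects` list needs judgement: every other hostname there should be explainable by software you installed; `blocked` entries are what a hosts-based ad blocker or immunization feature writes and are not by themselves a sign of compromise.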

The infections break down like this: 76 “Key” entries and 76 “value” entries. These are all web addresses that were added by something. Most appear to be adservers, 1 ■■■■■ site (I don’t visit ■■■■■ sites) and some others I can’t remember.

I did run one rootkill program that found nothing wrong. I’ll try the 2 programs you suggested.

I could not open the hosts file with either program.

Thanks much.

Ran another spyware scan with CIS and it found nothing. Go figure!

Any thoughts?

Thanks everyone.

Try a scan with:

Bitdefender: BDRemovalTool_TDSS_TDL4
Kaspersky: TDSSKiller
Avast: aswMBR

Bitdefender: initialization error - did not run.
Kaspersky: did not find anything
aswMBR: scanned successfully. I saved the log file but am not sure I understand it. It’s open and gives the option to fixmbr or exit. Not sure if it needs fixing.

Here’s the log file contents:

16:24:47.406 OS Version: Windows 5.1.2600 Service Pack 2
16:24:47.406 Number of processors: 1 586 0x5F02
16:24:47.406 ComputerName: FAMILY UserName: Fred
16:24:51.671 Initialize success
16:32:07.296 AVAST engine defs: 11112601
16:32:32.531 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
16:32:32.531 Disk 0 Vendor: Maxtor_6L300R0 BAH41E00 Size: 286188MB BusType: 3
16:32:32.531 Disk 1 \Device\Harddisk1\DR1 → \Device\Scsi\nvgts1Port2Path0Target0Lun0
16:32:32.531 Disk 1 Vendor: Maxtor_7 YAR5 Size: 239372MB BusType: 3
16:32:32.531 Disk 0 MBR read successfully
16:32:32.531 Disk 0 MBR scan
16:32:32.625 Disk 0 Windows XP default MBR code
16:32:32.640 Disk 0 scanning sectors +586099395
16:32:32.765 Disk 0 scanning C:\WINDOWS\system32\drivers
16:32:57.343 Service scanning
16:33:00.843 Modules scanning
16:33:15.625 Disk 0 trace - called modules:
16:33:15.656 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
16:33:15.656 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a575ab8]
16:33:15.656 3 CLASSPNP.SYS[b80e905b] → nt!IofCallDriver → \Device\0000006a[0x8a6019e8]
16:33:15.656 5 ACPI.sys[b7f7f620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-4[0x8a5ffd98]
16:33:19.093 AVAST engine scan C:\WINDOWS
16:33:57.484 AVAST engine scan C:\WINDOWS\system32
16:44:29.750 AVAST engine scan C:\WINDOWS\system32\drivers
16:45:04.078 AVAST engine scan C:\Documents and Settings\Fred
17:03:59.218 AVAST engine scan C:\Documents and Settings\All Users
17:36:41.718 Scan finished successfully
18:22:52.109 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Fred\My Documents\MBR.dat”
18:22:52.109 The log file has been saved successfully to “C:\Documents and Settings\Fred\My Documents\aswMBR.txt”

Thanks


Are you still with us, or gone on to greener pastures? We need to see what’s running in that machine of yours; if you can, please run HijackThis…

Thanks…
turnorburn

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:23 PM, on 12/2/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Fred\Download\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: ::1 localhost #[IPv6]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [COMODO Internet Security] “C:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11c_Plugin.exe -update plugin
O4 - S-1-5-18 Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (User ‘SYSTEM’)
O4 - .DEFAULT Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (User ‘Default user’)
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191722520906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191722508562
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} (WebBrowserType Class) - https://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
O16 - DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} (Comodo AV Scanner ActiveX) - http://www.personalfirewall.comodo.com/scan/ComodoAVScanner.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)


End of file - 6212 bytes

Thank you.

Could you run this again using the latest version, 2.0.4?

Thanks… :-TU

One other very important item, and I’m surprised I didn’t see it: you need to update your OS to SP3…

http://technet.microsoft.com/en-us/windows/bb794714

Is there a reason you haven’t done so?

Thanks…
turnorburn

Sorry, thought I had the latest version.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:17:21 PM, on 12/2/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: ::1 localhost #[IPv6]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [COMODO Internet Security] “C:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11c_Plugin.exe -update plugin
O4 - S-1-5-18 Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (User ‘SYSTEM’)
O4 - .DEFAULT Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (User ‘Default user’)
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: MasterCook: Select Image - C:\Program Files\MasterCook 9\Web\MCIEContext.hta
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MasterCook Web Import Bar - {E6EF5071-7647-4E85-9785-87B6CF5CB561} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191722520906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191722508562
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} (WebBrowserType Class) - https://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
O16 - DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} (Comodo AV Scanner ActiveX) - http://www.personalfirewall.comodo.com/scan/ComodoAVScanner.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)


End of file - 6506 bytes

Thanks again.
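Both HijackThis logs in this thread are read by eye, line by line. The script below is an added example (not part of the thread and not HijackThis's own code) of the first pass a helper makes over such a log: it parses the `R`/`O` entry lines, counts them per section, and builds a review list of the entries that need a question before anything is "fixed": registrations whose file is gone (`(no file)` / `(file missing)`), the O10 Winsock LSP the tool did not recognise, the O20 AppInit_DLLs entry, and any O1 hosts line that maps something other than localhost. The sample log is constructed from the kinds of lines the two posted logs contain; the review rules are the example's own, not verdicts from any tool.

```python
"""Parse a HijackThis log and produce a review list of entries a helper
would ask about before fixing anything. Added example; not from the thread."""
import re
import sys
from collections import Counter
from pathlib import Path

# Constructed from line types seen in the thread's logs; not a full log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe

O1 - Hosts: ::1 localhost #[IPv6]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""

# HijackThis entry lines look like "O23 - Service: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<rest>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Return one dict per entry line: {"line", "section", "text"}."""
    entries = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"line": line_no, "section": m["section"], "text": m["rest"]})
    return entries


def summarize(entries):
    """Count of entries per section, e.g. {"O2": 2, "O23": 2, ...}."""
    return dict(Counter(e["section"] for e in entries))


def review_list(entries):
    """Entries worth a question, each with the reason(s) it was flagged."""
    flagged = []
    for e in entries:
        reasons = []
        if any(marker in e["text"] for marker in ORPHAN_MARKERS):
            reasons.append("references a file that no longer exists; a leftover registration")
        if e["section"] == "O10":
            reasons.append("Winsock LSP not in the tool's known list; identify the DLL's owner before fixing")
        if e["section"] == "O20":
            reasons.append("AppInit_DLLs is loaded into every GUI process; confirm the DLL belongs to installed software")
        if e["section"] == "O1":
            # "Hosts: <ip> <names...> #comment" -> anything that is not localhost is a question
            hosts_fields = e["text"].partition("Hosts:")[2].split("#", 1)[0].split()
            names = [n for n in hosts_fields[1:] if n.lower() != "localhost"]
            if names:
                reasons.append(f"hosts file maps non-localhost names: {names}")
        if reasons:
            flagged.append({**e, "reason": "; ".join(reasons)})
    return flagged


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    entries = parse_entries(text)
    print("entries per section:", summarize(entries))
    for item in review_list(entries):
        print(f"line {item['line']} [{item['section']}] {item['reason']}")
        print("   ", item["text"])
```

Pass the saved log as the first argument (with no argument the constructed sample is used). The output is a list of questions, not a fix list: for the sample, the two orphaned entries are dead registrations, while the O10 and O20 lines are only flagged because a reviewer should confirm which installed product owns each DLL before deciding anything.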